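//go:build integration

package auth_test

import (
	"context"
	"testing"

	"github.com/ultisuite/ulti-backend/internal/integrationtest"
	"github.com/ultisuite/ulti-backend/internal/users"
)

// TestPlatformAdminAccessAfterGrant provisions a regular user, grants it
// platform admin through users.GrantPlatformAdmin, and then checks that
// GET /api/v1/users/me reports platform_admin = true and that
// GET /api/v1/admin/stats answers 200 for that user.
//
// NOTE(review): this is a positive-path check only. Nothing here asserts that
// /api/v1/admin/stats refuses a user who has NOT been granted platform admin,
// so the test would still pass if the endpoint had no authorization check at
// all. A companion test with an ungranted user should pin the denial status.
//
// NOTE(review): if this user is the first row in an empty database, the
// first-user bootstrap covered by TestFirstProvisionedUserBecomesPlatformAdmin
// may already have made it admin before the grant runs, which would hide a
// no-op GrantPlatformAdmin. Whether EnsureUser triggers that bootstrap is not
// visible from this file; confirm.
func TestPlatformAdminAccessAfterGrant(t *testing.T) {
	h := integrationtest.RequireHarness(t)
	ctx := context.Background()

	externalID := integrationtest.NewExternalID("plat-admin")
	claims := integrationtest.RegularUser(externalID)

	if _, err := users.EnsureUser(ctx, h.Pool, claims); err != nil {
		t.Fatalf("ensure user: %v", err)
	}
	if err := users.GrantPlatformAdmin(ctx, h.Pool, externalID); err != nil {
		t.Fatalf("grant platform admin: %v", err)
	}

	client, err := h.Client(claims)
	integrationtest.FailIf(err, t, "client")

	// The profile endpoint must reflect the grant.
	meResp, err := client.Get("/api/v1/users/me")
	integrationtest.FailIf(err, t, "GET /users/me")
	integrationtest.FailUnlessStatus(t, meResp, 200)

	var me map[string]any
	integrationtest.DecodeJSON(t, meResp, &me)
	if me["platform_admin"] != true {
		t.Fatalf("platform_admin = %v, want true", me["platform_admin"])
	}

	// The admin-only endpoint must now be reachable.
	statsResp, err := client.Get("/api/v1/admin/stats")
	integrationtest.FailIf(err, t, "GET /admin/stats")
	integrationtest.FailUnlessStatus(t, statsResp, 200)
}

// TestFirstProvisionedUserBecomesPlatformAdmin checks the first-user
// bootstrap: on a database with no users, the first user provisioned through
// GET /api/v1/users/me must come back with platform_admin = true. It then
// provisions a second regular user the same way and requires that this one is
// not reported as platform admin, so the bootstrap is shown to be one-shot
// rather than a default applied to every new account.
//
// The test skips when the users table is not empty.
//
// NOTE(review): the COUNT(*) check and the first request are separate steps.
// If anything else provisions a user against the same database in between,
// the first assertion fails for reasons unrelated to the bootstrap logic.
// Whether the harness isolates the database per test is not visible here.
func TestFirstProvisionedUserBecomesPlatformAdmin(t *testing.T) {
	h := integrationtest.RequireHarness(t)
	ctx := context.Background()

	var count int64
	if err := h.Pool.QueryRow(ctx, `SELECT COUNT(*) FROM users`).Scan(&count); err != nil {
		t.Fatalf("count users: %v", err)
	}
	if count > 0 {
		t.Skip("database already has users; first-user bootstrap not testable here")
	}

	externalID := integrationtest.NewExternalID("bootstrap-admin")
	claims := integrationtest.RegularUser(externalID)

	client, err := h.Client(claims)
	integrationtest.FailIf(err, t, "client")

	meResp, err := client.Get("/api/v1/users/me")
	integrationtest.FailIf(err, t, "GET /users/me")
	integrationtest.FailUnlessStatus(t, meResp, 200)

	var me map[string]any
	integrationtest.DecodeJSON(t, meResp, &me)
	if me["platform_admin"] != true {
		t.Fatalf("platform_admin = %v, want true", me["platform_admin"])
	}

	// Negative control: a later regular user must not inherit the bootstrap
	// privilege. Without this, the test also passes when every newly
	// provisioned account is made platform admin.
	secondID := integrationtest.NewExternalID("bootstrap-second")
	secondClient, err := h.Client(integrationtest.RegularUser(secondID))
	integrationtest.FailIf(err, t, "second client")

	secondResp, err := secondClient.Get("/api/v1/users/me")
	integrationtest.FailIf(err, t, "GET /users/me (second user)")
	integrationtest.FailUnlessStatus(t, secondResp, 200)

	var second map[string]any
	integrationtest.DecodeJSON(t, secondResp, &second)
	if second["platform_admin"] == true {
		t.Fatalf("second user platform_admin = %v, want not true", second["platform_admin"])
	}
}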